Solved: Re: Help on a REX extract - and count

LizAndy123 · ‎01-27-2025

So I have an Index

Index= xxxxxx "Stopping iteration"

I have the rex for getting the unique Id

Event Sample : Stopping iteration - 1900000000: 2000 Files accepted

so my current REX is rex "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+)" and it extracts the 1900000000

I want to extract the 2000 number and then do a count for 24 hours.

Any help would be great

richgalloway · ‎01-27-2025

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎01-27-2025

It would help to know what you've tried so far, but getting the other field is just a matter of extending the regex.

"Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+):\s*(?<file_count>\d+)"

---
If this reply helps you, Karma would be appreciated.

LizAndy123 · ‎01-27-2025

Thanks

This helps extracting the number - how do I do the sum at the end ?

in 24 hours I could have 96 * 2000 file uploads

richgalloway · ‎01-27-2025

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

---
If this reply helps you, Karma would be appreciated.

LizAndy123 · ‎01-27-2025

Hey Rich that works and I get the total at the bottom but it shows every single column also.

Example I had 98 Events and total was 157,000 but it shows every single event and the columns

richgalloway · ‎01-27-2025

If all you want is a single integer that is the total of all file_count values then stats is the way to go.

| rex "..."
``` more query stuff ```
| stats sum(file_count) as Total_Count

---
If this reply helps you, Karma would be appreciated.

LizAndy123 · ‎01-27-2025

So basically I need the total number of files I uploaded in a 24 hour period once I get that figure extracted

Help on a REX extract - and count